CrowdSec, 6d ago
ook

ban disappeared before expiration

Yesterday, I manually added a decision about the IP 190.108.82.105 for 960h. I checked it was correctly displayed in CrowdSec decisions. Some minutes ago I got hit by my CEO because the hacker used that IP again today. I checked the traefik bouncer was effective by banning myself for 15min with success. Why did the 960h ban disappear in less than 24h? Thank you.
7 Replies
CrowdSec, 6d ago
Important Information
Thank you for getting in touch with your support request. To expedite a swift resolution, could you kindly provide the following information? Rest assured, we will respond promptly, and we greatly appreciate your patience. While you wait, please check the links below to see if this issue has been previously addressed. If you have managed to resolve it, please run the command /resolve or press the green resolve button below.
Log Files
If you possess any log files that you believe could be beneficial, please include them at this time. By default, CrowdSec logs to /var/log/, where you will discover a corresponding log file for each component.
Guide Followed (CrowdSec Official)
If you have diligently followed one of our guides and hit a roadblock, please share the guide with us. This will help us assess if any adjustments are necessary to assist you further.
Screenshots
Please forward any screenshots depicting errors you encounter. Your visuals will provide us with a clear view of the issues you are facing.
© Created By WhyAydan for CrowdSec ❤️
iiamloz, 6d ago
So if you check cscli decisions list --ip 190.108.82.105 you still see it? Please note that using traefik does stop the request from going downstream to your application. However, it doesn't completely block the connection, so scenarios can trigger again / get logged by traefik. So if you see a trigger, it doesn't mean it wasn't blocked, but they hit your infrastructure.
ook (OP), 6d ago
I see it in the decisions tab on the website, I don't see it in cscli on lapi. And he definitely reached our application since he exploited some leaked passwords (dude seriously, never reuse the same password on different services…). Oh, I see on the site the status is « applying ». Seems the site can't reach my lapi. How is that possible?
iiamloz, 6d ago
What version is your crowdsec?
ook (OP), 6d ago
crowdsec-lapi-7678bd9784-4qtcd:/# cscli version
version: v1.6.8-f209766e
Codename: alphaga
BuildDate: 2025-03-25_15:56:53
GoVersion: 1.24.1
Platform: docker
libre2: C++
User-Agent: crowdsec/v1.6.8-f209766e-docker
Constraint_parser: >= 1.0, <= 3.0
Constraint_scenario: >= 1.0, <= 3.0
Constraint_api: v1
Constraint_acquis: >= 1.0, < 2.0
Built-in optional components: cscli_setup, datasource_appsec, datasource_cloudwatch, datasource_docker, datasource_file, datasource_http, datasource_journalctl, datasource_k8s-audit, datasource_kafka, datasource_kinesis, datasource_loki, datasource_s3, datasource_syslog, datasource_victorialogs, datasource_wineventlog
Hum… well. There's no ingress so CS can « push » to my lapi pod. Is lapi periodically pulling manual decisions made on the website UI?
iiamloz, 6d ago
On your version, not unless you specified the console management flag. On version 1.6.11, the latest, this flag is no more and the engine automatically enables this if you're on an enterprise account. So best if you upgrade when you can to the latest version if possible.
ook (OP), 6d ago
Will do soon. Thank you.
